Passing base64 encoded strings in URL

前端 未结 10 1639
臣服心动
臣服心动 2020-11-22 03:11

Is it safe to pass raw base64 encoded strings via GET parameters?

相关标签:
10条回答
  • 2020-11-22 03:47

    Yes, it is always safe. of course base64 contains: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= but a base64 encoded string usually have no +. +will be converted into a blank space, results in wrong decoded string. / is safe in a get parameters pair. = is always at the end of the base64 encoded string and the server side can resolve = directly.

    0 讨论(0)
  • 2020-11-22 04:00

    @joeshmo Or instead of writing a helper function, you could just urlencode the base64 encoded string. This would do the exact same thing as your helper function, but without the need of two extra functions.

    $str = 'Some String';
    
    $encoded = urlencode( base64_encode( $str ) );
    $decoded = base64_decode( urldecode( $encoded ) );
    
    0 讨论(0)
  • 2020-11-22 04:00

    I don't think that this is safe because e.g. the "=" character is used in raw base 64 and is also used in differentiating the parameters from the values in an HTTP GET.

    0 讨论(0)
  • 2020-11-22 04:01

    No, you would need to url-encode it, since base64 strings can contain the "+", "=" and "/" characters which could alter the meaning of your data - look like a sub-folder.

    Valid base64 characters are below.

    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
    
    0 讨论(0)
  • 2020-11-22 04:02

    Introductory Note I'm inclined to post a few clarifications since some of the answers here were a little misleading (if not incorrect).

    The answer is NO, you cannot simply pass a base64 encoded parameter within a URL query string since plus signs are converted to a SPACE inside the $_GET global array. In other words, if you sent test.php?myVar=stringwith+sign to

    //test.php
    print $_GET['myVar'];
    

    the result would be:
    stringwith sign

    The easy way to solve this is to simply urlencode() your base64 string before adding it to the query string to escape the +, =, and / characters to %## codes. For instance, urlencode("stringwith+sign") returns stringwith%2Bsign

    When you process the action, PHP takes care of decoding the query string automatically when it populates the $_GET global. For example, if I sent test.php?myVar=stringwith%2Bsign to

    //test.php
    print $_GET['myVar'];
    

    the result would is:
    stringwith+sign

    You do not want to urldecode() the returned $_GET string as +'s will be converted to spaces.
    In other words if I sent the same test.php?myVar=stringwith%2Bsign to

    //test.php
    $string = urldecode($_GET['myVar']);
    print $string;
    

    the result is an unexpected:
    stringwith sign

    It would be safe to rawurldecode() the input, however, it would be redundant and therefore unnecessary.

    0 讨论(0)
  • 2020-11-22 04:05

    Yes and no.

    The basic charset of base64 may in some cases collide with traditional conventions used in URLs. But many of base64 implementations allow you to change the charset to match URLs better or even come with one (like Python's urlsafe_b64encode()).

    Another issue you may be facing is the limit of URL length or rather — lack of such limit. Because standards do not specify any maximum length, browsers, servers, libraries and other software working with HTTP protocol may define its' own limits.

    0 讨论(0)
提交回复
热议问题